The entries in my blog are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer, except where explicitly stated.

Needless to say, a blog is a snapshot in time. As I interact with the community at large and learn more about various topics, my thoughts and opinions are subject to change. As such, you should not consider out-of-date posts to reflect my current thoughts and opinions.

The Threat Modeling process as defined here is context-relevant (e.g. the threat model for a Web App is going to be different from that of a Win Forms application) and is also more iterative. The iterative threat modeling process consists of:

Step 1: Identify security objectives. Clear objectives help you to focus the threat modeling activity and determine how much effort to spend on subsequent steps.

Step 5: Identify vulnerabilities. Review the layers of your application to identify weaknesses related to your threats. Use vulnerability categories to help you focus on those areas where mistakes are most often made.
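As an added illustration of how Step 1 and Step 5 fit together (example code written for this post, not tooling from the guide or from Visual Studio Team System), the sketch below records security objectives first, refuses threats that serve no stated objective, and then groups unmitigated vulnerability findings by application layer and category so you can see which threats are still exposed. The objectives, layers, categories and findings are constructed sample data; the category set is assumed for illustration and is not the guide's own security frame.

```python
"""Added example: a minimal, iterative threat-model record that ties security
objectives to threats and to layer-by-layer vulnerability findings.
Illustration code for this post, not the guide's tooling; objectives,
layers, categories and findings are constructed sample data."""
from dataclasses import dataclass, field

# Vulnerability categories used to organize the review. Assumed set for
# illustration; the guide's own security frame defines its categories.
CATEGORIES = {"Input Validation", "Authentication", "Authorization",
              "Session Management", "Sensitive Data", "Auditing and Logging"}


@dataclass
class Threat:
    name: str
    objective: str       # the security objective this threat endangers
    categories: set      # vulnerability categories that would realize it


@dataclass
class Finding:
    layer: str           # e.g. "Presentation", "Business", "Data"
    category: str
    description: str
    mitigated: bool = False


@dataclass
class ThreatModel:
    objectives: set
    threats: list = field(default_factory=list)
    findings: list = field(default_factory=list)

    def add_threat(self, threat):
        # Step 1 in effect: a threat that endangers no stated objective is
        # out of scope, which keeps later effort focused.
        if threat.objective not in self.objectives:
            raise ValueError(f"threat {threat.name!r} targets no stated objective")
        self.threats.append(threat)

    def add_finding(self, finding):
        # Findings are filed under a known category so the review stays organized.
        if finding.category not in CATEGORIES:
            raise ValueError(f"unknown category {finding.category!r}")
        self.findings.append(finding)

    def open_findings_by_layer(self):
        """Step 5: unmitigated weaknesses grouped by application layer."""
        out = {}
        for f in self.findings:
            if not f.mitigated:
                out.setdefault(f.layer, []).append(f)
        return out

    def exposed_threats(self):
        """Threats with at least one unmitigated finding in a matching category."""
        open_cats = {f.category for f in self.findings if not f.mitigated}
        return [t.name for t in self.threats if t.categories & open_cats]


def sample_model():
    """Build a small constructed model for a hypothetical web store."""
    tm = ThreatModel(objectives={"Protect customer PII", "Prevent unauthorized orders"})
    tm.add_threat(Threat("SQL injection via search", "Protect customer PII",
                         {"Input Validation"}))
    tm.add_threat(Threat("Order placed with another user's account",
                         "Prevent unauthorized orders",
                         {"Authorization", "Session Management"}))
    tm.add_finding(Finding("Data", "Input Validation",
                           "search term concatenated into SQL"))
    tm.add_finding(Finding("Business", "Authorization",
                           "order service trusts client-supplied customer id",
                           mitigated=True))
    tm.add_finding(Finding("Presentation", "Session Management",
                           "session cookie lacks Secure flag"))
    return tm


if __name__ == "__main__":
    model = sample_model()
    for layer, items in model.open_findings_by_layer().items():
        print(layer, [f.description for f in items])
    print("still exposed:", model.exposed_threats())
```

On each iteration you would re-run `exposed_threats()` after marking findings mitigated; a threat drops off the list only once every category it depends on has no open finding, which is the kind of trace from objective to weakness that the guide's layer-by-layer review is meant to give you.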

Beyond the above, there are also templates that can quickly get you started, a web application security frame that uses categories to organize security vulnerabilities, and tool integration with Visual Studio Team System.

In short, this is a great piece of work by the same folks who brought you "Improving Web Application Security", "Perf & Scale" and more (way to go, J.D.!).

I was fortunate enough to have the opportunity to contribute to this work as well as to act as an external reviewer. Because of that experience, I believe that this particular work will make Threat Modeling much more approachable and understandable to the people who really need to utilize it: the developers in the trenches.